[Snort-users] dr's futuresnort wish list

Fyodor fygrave at ...121...
Mon Aug 21 16:03:20 EDT 2000


~ :ps.
~ :Of course, with a rule within a rule...the colon problem is going to HAVE 
~ :to be solved first (c:
~ :

Eeek.. :-) okay, I looked at the code and found that due to some mystic
reason the expected number of tokens while splitting an option was set to be
4. *Mysteries of snort internals* ;-P

 In my understanding it never should be more than 2 (we don't support
rule options like `keyword: "blah" : "blah" : "blah"`). Patch below (for
snort-1.6.3) should fix this problem. I will commit it to snort-current
shortly and update the tarball at snort.sourceforge.net :)


--- rules.c.orig	Tue Aug 22 02:57:17 2000
+++ rules.c	Tue Aug 22 02:57:20 2000
@@ -1346,7 +1346,7 @@
 #endif
 
             /* break out the option name from its data */
-            opts = mSplit(toks[i], ":", 4, &num_opts,'\\');
+            opts = mSplit(toks[i], ":", 2, &num_opts,'\\');
 
 #ifdef DEBUG
             printf("   option name: %s\n", opts[0]);
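
Review bot: The bare 2 on the changed mSplit line should carry a comment or a named constant saying that an option is at most a keyword plus one argument, since the previous 4 was just as unexplained and that is how the colon problem went unnoticed. The existing comment "break out the option name from its data" is a natural place to add that any further ":" is meant to stay inside the data. In the context shown, opts[0] is printed without looking at num_opts, so it is also worth confirming that the code after this hunk checks num_opts before reading opts[1] for keywords that take no argument.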
 




